RubyGems - grpc - Versions diffs - 1.30.2 → 1.32.0 - Mend

grpc 1.30.2 → 1.32.0

Potentially problematic release.

This version of grpc might be problematic. Click here for more details.

Files changed (674) hide show

data/third_party/boringssl-with-bazel/src/ssl/handoff.cc CHANGED

@@ -632,7 +632,7 @@ bool SSL_apply_handback(SSL *ssl, Span<const uint8_t> handback) {
     case handback_after_session_resumption:
       // The write keys are installed after server Finished, but the client
       // keys must wait for ChangeCipherSpec.
-      if (!tls1_configure_aead(ssl, evp_aead_seal, &key_block, session->cipher,
+      if (!tls1_configure_aead(ssl, evp_aead_seal, &key_block, session,
                                write_iv)) {
         return false;
       }
@@ -642,9 +642,9 @@ bool SSL_apply_handback(SSL *ssl, Span<const uint8_t> handback) {
       break;
     case handback_after_handshake:
       // The handshake is complete, so both keys are installed.
-      if (!tls1_configure_aead(ssl, evp_aead_seal, &key_block, session->cipher,
+      if (!tls1_configure_aead(ssl, evp_aead_seal, &key_block, session,
                                write_iv) ||
-          !tls1_configure_aead(ssl, evp_aead_open, &key_block, session->cipher,
+          !tls1_configure_aead(ssl, evp_aead_open, &key_block, session,
                                read_iv)) {
         return false;
       }

data/third_party/boringssl-with-bazel/src/ssl/handshake.cc CHANGED

@@ -441,7 +441,7 @@ enum ssl_hs_wait_t ssl_get_finished(SSL_HANDSHAKE *hs) {
   uint8_t finished[EVP_MAX_MD_SIZE];
   size_t finished_len;
   if (!hs->transcript.GetFinishedMAC(finished, &finished_len,
-                                     SSL_get_session(ssl), !ssl->server) ||
+                                     ssl_handshake_session(hs), !ssl->server) ||
       !ssl_hash_message(hs, msg)) {
     return ssl_hs_error;
   }
@@ -484,7 +484,7 @@ enum ssl_hs_wait_t ssl_get_finished(SSL_HANDSHAKE *hs) {
 bool ssl_send_finished(SSL_HANDSHAKE *hs) {
   SSL *const ssl = hs->ssl;
-  const SSL_SESSION *session = SSL_get_session(ssl);
+  const SSL_SESSION *session = ssl_handshake_session(hs);
   uint8_t finished[EVP_MAX_MD_SIZE];
   size_t finished_len;
@@ -541,6 +541,13 @@ bool ssl_output_cert_chain(SSL_HANDSHAKE *hs) {
   return true;
 }
+const SSL_SESSION *ssl_handshake_session(const SSL_HANDSHAKE *hs) {
+  if (hs->new_session) {
+    return hs->new_session.get();
+  }
+  return hs->ssl->session.get();
+}
 int ssl_run_handshake(SSL_HANDSHAKE *hs, bool *out_early_return) {
   SSL *const ssl = hs->ssl;
   for (;;) {

data/third_party/boringssl-with-bazel/src/ssl/handshake_client.cc CHANGED

@@ -1268,10 +1268,10 @@ static enum ssl_hs_wait_t do_send_client_key_exchange(SSL_HANDSHAKE *hs) {
   uint32_t alg_k = hs->new_cipher->algorithm_mkey;
   uint32_t alg_a = hs->new_cipher->algorithm_auth;
   if (ssl_cipher_uses_certificate_auth(hs->new_cipher)) {
-    CRYPTO_BUFFER *leaf =
+    const CRYPTO_BUFFER *leaf =
         sk_CRYPTO_BUFFER_value(hs->new_session->certs.get(), 0);
     CBS leaf_cbs;
-    CBS_init(&leaf_cbs, CRYPTO_BUFFER_data(leaf), CRYPTO_BUFFER_len(leaf));
+    CRYPTO_BUFFER_init_CBS(leaf, &leaf_cbs);
     // Check the key usage matches the cipher suite. We do this unconditionally
     // for non-RSA certificates. In particular, it's needed to distinguish ECDH

data/third_party/boringssl-with-bazel/src/ssl/handshake_server.cc CHANGED

@@ -1436,6 +1436,15 @@ static enum ssl_hs_wait_t do_read_client_certificate_verify(SSL_HANDSHAKE *hs) {
     return ssl_hs_error;
   }
+  // The peer certificate must be valid for signing.
+  const CRYPTO_BUFFER *leaf =
+      sk_CRYPTO_BUFFER_value(hs->new_session->certs.get(), 0);
+  CBS leaf_cbs;
+  CRYPTO_BUFFER_init_CBS(leaf, &leaf_cbs);
+  if (!ssl_cert_check_key_usage(&leaf_cbs, key_usage_digital_signature)) {
+    return ssl_hs_error;
+  }
   CBS certificate_verify = msg.body, signature;
   // Determine the signature algorithm.

data/third_party/boringssl-with-bazel/src/ssl/internal.h CHANGED

@@ -1650,6 +1650,10 @@ struct SSL_HANDSHAKE {
   // advertise this extension to the client.
   Array<uint16_t> peer_supported_group_list;
+  // peer_delegated_credential_sigalgs are the signature algorithms the peer
+  // supports with delegated credentials.
+  Array<uint16_t> peer_delegated_credential_sigalgs;
   // peer_key is the peer's ECDH key for a TLS 1.2 client.
   Array<uint8_t> peer_key;
@@ -1863,6 +1867,8 @@ enum ssl_private_key_result_t tls13_add_certificate_verify(SSL_HANDSHAKE *hs);
 bool tls13_add_finished(SSL_HANDSHAKE *hs);
 bool tls13_process_new_session_ticket(SSL *ssl, const SSLMessage &msg);
+bssl::UniquePtr<SSL_SESSION> tls13_create_session_with_ticket(SSL *ssl,
+                                                              CBS *body);
 bool ssl_ext_key_share_parse_serverhello(SSL_HANDSHAKE *hs,
                                          Array<uint8_t> *out_secret,
@@ -1938,6 +1944,11 @@ enum ssl_hs_wait_t ssl_get_finished(SSL_HANDSHAKE *hs);
 bool ssl_send_finished(SSL_HANDSHAKE *hs);
 bool ssl_output_cert_chain(SSL_HANDSHAKE *hs);
+// ssl_handshake_session returns the |SSL_SESSION| corresponding to the current
+// handshake. Note, in TLS 1.2 resumptions, this session is immutable.
+const SSL_SESSION *ssl_handshake_session(const SSL_HANDSHAKE *hs);
 // SSLKEYLOGFILE functions.
 // ssl_log_secret logs |secret| with label |label|, if logging is enabled for
@@ -2740,11 +2751,6 @@ struct SSL_CONFIG {
   bool jdk11_workaround : 1;
 };
-// Computes a SHA-256 hash of the transport parameters and early data context
-// for QUIC, putting the hash in |SHA256_DIGEST_LENGTH| bytes at |hash_out|.
-bool compute_quic_early_data_hash(const SSL_CONFIG *config,
-                                  uint8_t hash_out[SHA256_DIGEST_LENGTH]);
 // From RFC 8446, used in determining PSK modes.
 #define SSL_PSK_DHE_KE 0x1
@@ -2924,13 +2930,14 @@ int dtls1_dispatch_alert(SSL *ssl);
 // determined by |direction|) using the keys generated by the TLS KDF. The
 // |key_block_cache| argument is used to store the generated key block, if
 // empty. Otherwise it's assumed that the key block is already contained within
-// it. Returns one on success or zero on error.
-int tls1_configure_aead(SSL *ssl, evp_aead_direction_t direction,
-                        Array<uint8_t> *key_block_cache,
-                        const SSL_CIPHER *cipher,
-                        Span<const uint8_t> iv_override);
-int tls1_change_cipher_state(SSL_HANDSHAKE *hs, evp_aead_direction_t direction);
+// it. It returns true on success or false on error.
+bool tls1_configure_aead(SSL *ssl, evp_aead_direction_t direction,
+                         Array<uint8_t> *key_block_cache,
+                         const SSL_SESSION *session,
+                         Span<const uint8_t> iv_override);
+bool tls1_change_cipher_state(SSL_HANDSHAKE *hs,
+                              evp_aead_direction_t direction);
 int tls1_generate_master_secret(SSL_HANDSHAKE *hs, uint8_t *out,
                                 Span<const uint8_t> premaster);
@@ -3559,9 +3566,9 @@ struct ssl_session_st {
   // is_quic indicates whether this session was created using QUIC.
   bool is_quic : 1;
-  // quic_early_data_hash is used to determine whether early data must be
+  // quic_early_data_context is used to determine whether early data must be
   // rejected when performing a QUIC handshake.
-  bssl::Array<uint8_t> quic_early_data_hash;
+  bssl::Array<uint8_t> quic_early_data_context;
  private:
   ~ssl_session_st();

data/third_party/boringssl-with-bazel/src/ssl/ssl_asn1.cc CHANGED

@@ -192,7 +192,7 @@ static const unsigned kEarlyALPNTag =
     CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 26;
 static const unsigned kIsQuicTag =
     CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 27;
-static const unsigned kQuicEarlyDataHashTag =
+static const unsigned kQuicEarlyDataContextTag =
     CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 28;
 static int SSL_SESSION_to_bytes_full(const SSL_SESSION *in, CBB *cbb,
@@ -402,10 +402,10 @@ static int SSL_SESSION_to_bytes_full(const SSL_SESSION *in, CBB *cbb,
     }
   }
-  if (!in->quic_early_data_hash.empty()) {
-    if (!CBB_add_asn1(&session, &child, kQuicEarlyDataHashTag) ||
-        !CBB_add_asn1_octet_string(&child, in->quic_early_data_hash.data(),
-                                   in->quic_early_data_hash.size())) {
+  if (!in->quic_early_data_context.empty()) {
+    if (!CBB_add_asn1(&session, &child, kQuicEarlyDataContextTag) ||
+        !CBB_add_asn1_octet_string(&child, in->quic_early_data_context.data(),
+                                   in->quic_early_data_context.size())) {
       OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
       return 0;
     }
@@ -752,8 +752,8 @@ UniquePtr<SSL_SESSION> SSL_SESSION_parse(CBS *cbs,
                                       kEarlyALPNTag) ||
       !CBS_get_optional_asn1_bool(&session, &is_quic, kIsQuicTag,
                                   /*default_value=*/false) ||
-      !SSL_SESSION_parse_octet_string(&session, &ret->quic_early_data_hash,
-                                      kQuicEarlyDataHashTag) ||
+      !SSL_SESSION_parse_octet_string(&session, &ret->quic_early_data_context,
+                                      kQuicEarlyDataContextTag) ||
       CBS_len(&session) != 0) {
     OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
     return nullptr;

data/third_party/boringssl-with-bazel/src/ssl/ssl_cert.cc CHANGED

@@ -821,16 +821,13 @@ static bool ssl_can_serve_dc(const SSL_HANDSHAKE *hs) {
   }
   // Check that the DC signature algorithm is supported by the peer.
-  Span<const uint16_t> peer_sigalgs = tls1_get_peer_verify_algorithms(hs);
-  bool sigalg_found = false;
+  Span<const uint16_t> peer_sigalgs = hs->peer_delegated_credential_sigalgs;
   for (uint16_t peer_sigalg : peer_sigalgs) {
     if (dc->expected_cert_verify_algorithm == peer_sigalg) {
-      sigalg_found = true;
-      break;
+      return true;
     }
   }
-  return sigalg_found;
+  return false;
 }
 bool ssl_signing_with_dc(const SSL_HANDSHAKE *hs) {

data/third_party/boringssl-with-bazel/src/ssl/ssl_lib.cc CHANGED

@@ -2360,6 +2360,16 @@ size_t SSL_get0_peer_verify_algorithms(const SSL *ssl,
   return sigalgs.size();
 }
+size_t SSL_get0_peer_delegation_algorithms(const SSL *ssl,
+                                           const uint16_t **out_sigalgs){
+  Span<const uint16_t> sigalgs;
+  if (ssl->s3->hs != nullptr) {
+    sigalgs = ssl->s3->hs->peer_delegated_credential_sigalgs;
+  }
+  *out_sigalgs = sigalgs.data();
+  return sigalgs.size();
+}
 EVP_PKEY *SSL_get_privatekey(const SSL *ssl) {
   if (!ssl->config) {
     assert(ssl->config);
@@ -2968,6 +2978,34 @@ void SSL_CTX_set_ticket_aead_method(SSL_CTX *ctx,
   ctx->ticket_aead_method = aead_method;
 }
+SSL_SESSION *SSL_process_tls13_new_session_ticket(SSL *ssl, const uint8_t *buf,
+                                                  size_t buf_len) {
+  if (SSL_in_init(ssl) ||
+      ssl_protocol_version(ssl) != TLS1_3_VERSION ||
+      ssl->server) {
+    // Only TLS 1.3 clients are supported.
+    OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+    return nullptr;
+  }
+  CBS cbs, body;
+  CBS_init(&cbs, buf, buf_len);
+  uint8_t type;
+  if (!CBS_get_u8(&cbs, &type) ||
+      !CBS_get_u24_length_prefixed(&cbs, &body) ||
+      CBS_len(&cbs) != 0) {
+    OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
+    return nullptr;
+  }
+  UniquePtr<SSL_SESSION> session = tls13_create_session_with_ticket(ssl, &body);
+  if (!session) {
+    // |tls13_create_session_with_ticket| puts the correct error.
+    return nullptr;
+  }
+  return session.release();
+}
 int SSL_set_tlsext_status_type(SSL *ssl, int type) {
   if (!ssl->config) {
     return 0;

data/third_party/boringssl-with-bazel/src/ssl/ssl_session.cc CHANGED

@@ -269,8 +269,8 @@ UniquePtr<SSL_SESSION> SSL_SESSION_dup(SSL_SESSION *session, int dup_flags) {
       return nullptr;
     }
-    if (!new_session->quic_early_data_hash.CopyFrom(
-            session->quic_early_data_hash)) {
+    if (!new_session->quic_early_data_context.CopyFrom(
+            session->quic_early_data_context)) {
       return nullptr;
     }
   }
@@ -349,25 +349,6 @@ const EVP_MD *ssl_session_get_digest(const SSL_SESSION *session) {
                                   session->cipher);
 }
-bool compute_quic_early_data_hash(const SSL_CONFIG *config,
-                                  uint8_t hash_out[SHA256_DIGEST_LENGTH]) {
-  ScopedEVP_MD_CTX hash_ctx;
-  uint32_t transport_param_len = config->quic_transport_params.size();
-  uint32_t context_len = config->quic_early_data_context.size();
-  if (!EVP_DigestInit(hash_ctx.get(), EVP_sha256()) ||
-      !EVP_DigestUpdate(hash_ctx.get(), &transport_param_len,
-                        sizeof(transport_param_len)) ||
-      !EVP_DigestUpdate(hash_ctx.get(), config->quic_transport_params.data(),
-                        config->quic_transport_params.size()) ||
-      !EVP_DigestUpdate(hash_ctx.get(), &context_len, sizeof(context_len)) ||
-      !EVP_DigestUpdate(hash_ctx.get(), config->quic_early_data_context.data(),
-                        config->quic_early_data_context.size()) ||
-      !EVP_DigestFinal(hash_ctx.get(), hash_out, nullptr)) {
-    return false;
-  }
-  return true;
-}
 int ssl_get_new_session(SSL_HANDSHAKE *hs, int is_server) {
   SSL *const ssl = hs->ssl;
   if (ssl->mode & SSL_MODE_NO_SESSION_CREATION) {
@@ -384,9 +365,8 @@ int ssl_get_new_session(SSL_HANDSHAKE *hs, int is_server) {
   session->ssl_version = ssl->version;
   session->is_quic = ssl->quic_method != nullptr;
   if (is_server && ssl->enable_early_data && session->is_quic) {
-    if (!session->quic_early_data_hash.Init(SHA256_DIGEST_LENGTH) ||
-        !compute_quic_early_data_hash(hs->config,
-                                      session->quic_early_data_hash.data())) {
+    if (!session->quic_early_data_context.CopyFrom(
+            hs->config->quic_early_data_context)) {
       return 0;
     }
   }

data/third_party/boringssl-with-bazel/src/ssl/ssl_versions.cc CHANGED

@@ -193,11 +193,11 @@ bool ssl_get_version_range(const SSL_HANDSHAKE *hs, uint16_t *out_min_version,
     min_version = TLS1_3_VERSION;
   }
-  // OpenSSL's API for controlling versions entails blacklisting individual
-  // protocols. This has two problems. First, on the client, the protocol can
-  // only express a contiguous range of versions. Second, a library consumer
-  // trying to set a maximum version cannot disable protocol versions that get
-  // added in a future version of the library.
+  // The |SSL_OP_NO_*| flags disable individual protocols. This has two
+  // problems. First, prior to TLS 1.3, the protocol can only express a
+  // contiguous range of versions. Second, a library consumer trying to set a
+  // maximum version cannot disable protocol versions that get added in a future
+  // version of the library.
   //
   // To account for both of these, OpenSSL interprets the client-side bitmask
   // as a min/max range by picking the lowest contiguous non-empty range of

data/third_party/boringssl-with-bazel/src/ssl/t1_enc.cc CHANGED

@@ -189,21 +189,36 @@ static bool get_key_block_lengths(const SSL *ssl, size_t *out_mac_secret_len,
   return true;
 }
-int tls1_configure_aead(SSL *ssl, evp_aead_direction_t direction,
-                        Array<uint8_t> *key_block_cache,
-                        const SSL_CIPHER *cipher,
-                        Span<const uint8_t> iv_override) {
+static bool generate_key_block(const SSL *ssl, Span<uint8_t> out,
+                               const SSL_SESSION *session) {
+  auto master_key =
+      MakeConstSpan(session->master_key, session->master_key_length);
+  static const char kLabel[] = "key expansion";
+  auto label = MakeConstSpan(kLabel, sizeof(kLabel) - 1);
+  const EVP_MD *digest = ssl_session_get_digest(session);
+  // Note this function assumes that |session|'s key material corresponds to
+  // |ssl->s3->client_random| and |ssl->s3->server_random|.
+  return tls1_prf(digest, out, master_key, label, ssl->s3->server_random,
+                  ssl->s3->client_random);
+}
+bool tls1_configure_aead(SSL *ssl, evp_aead_direction_t direction,
+                         Array<uint8_t> *key_block_cache,
+                         const SSL_SESSION *session,
+                         Span<const uint8_t> iv_override) {
   size_t mac_secret_len, key_len, iv_len;
-  if (!get_key_block_lengths(ssl, &mac_secret_len, &key_len, &iv_len, cipher)) {
-    return 0;
+  if (!get_key_block_lengths(ssl, &mac_secret_len, &key_len, &iv_len,
+                             session->cipher)) {
+    return false;
   }
   // Ensure that |key_block_cache| is set up.
   const size_t key_block_size = 2 * (mac_secret_len + key_len + iv_len);
   if (key_block_cache->empty()) {
     if (!key_block_cache->Init(key_block_size) ||
-        !SSL_generate_key_block(ssl, key_block_cache->data(), key_block_size)) {
-      return 0;
+        !generate_key_block(ssl, MakeSpan(*key_block_cache), session)) {
+      return false;
     }
   }
   assert(key_block_cache->size() == key_block_size);
@@ -224,15 +239,16 @@ int tls1_configure_aead(SSL *ssl, evp_aead_direction_t direction,
   if (!iv_override.empty()) {
     if (iv_override.size() != iv_len) {
-      return 0;
+      return false;
     }
     iv = iv_override;
   }
-  UniquePtr<SSLAEADContext> aead_ctx = SSLAEADContext::Create(
-      direction, ssl->version, SSL_is_dtls(ssl), cipher, key, mac_secret, iv);
+  UniquePtr<SSLAEADContext> aead_ctx =
+      SSLAEADContext::Create(direction, ssl->version, SSL_is_dtls(ssl),
+                             session->cipher, key, mac_secret, iv);
   if (!aead_ctx) {
-    return 0;
+    return false;
   }
   if (direction == evp_aead_open) {
@@ -246,10 +262,10 @@ int tls1_configure_aead(SSL *ssl, evp_aead_direction_t direction,
                                       /*secret_for_quic=*/{});
 }
-int tls1_change_cipher_state(SSL_HANDSHAKE *hs,
-                             evp_aead_direction_t direction) {
+bool tls1_change_cipher_state(SSL_HANDSHAKE *hs,
+                              evp_aead_direction_t direction) {
   return tls1_configure_aead(hs->ssl, direction, &hs->key_block,
-                             hs->new_cipher, {});
+                             ssl_handshake_session(hs), {});
 }
 int tls1_generate_master_secret(SSL_HANDSHAKE *hs, uint8_t *out,
@@ -286,6 +302,11 @@ BSSL_NAMESPACE_END
 using namespace bssl;
 size_t SSL_get_key_block_len(const SSL *ssl) {
+  // See |SSL_generate_key_block|.
+  if (SSL_in_init(ssl)) {
+    return 0;
+  }
   size_t mac_secret_len, key_len, fixed_iv_len;
   if (!get_key_block_lengths(ssl, &mac_secret_len, &key_len, &fixed_iv_len,
                              SSL_get_current_cipher(ssl))) {
@@ -297,16 +318,16 @@ size_t SSL_get_key_block_len(const SSL *ssl) {
 }
 int SSL_generate_key_block(const SSL *ssl, uint8_t *out, size_t out_len) {
-  const SSL_SESSION *session = SSL_get_session(ssl);
-  auto out_span = MakeSpan(out, out_len);
-  auto master_key =
-      MakeConstSpan(session->master_key, session->master_key_length);
-  static const char kLabel[] = "key expansion";
-  auto label = MakeConstSpan(kLabel, sizeof(kLabel) - 1);
+  // Which cipher state to use is ambiguous during a handshake. In particular,
+  // there are points where read and write states are from different epochs.
+  // During a handshake, before ChangeCipherSpec, the encryption states may not
+  // match |ssl->s3->client_random| and |ssl->s3->server_random|.
+  if (SSL_in_init(ssl)) {
+    OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+    return 0;
+  }
-  const EVP_MD *digest = ssl_session_get_digest(session);
-  return tls1_prf(digest, out_span, master_key, label, ssl->s3->server_random,
-                  ssl->s3->client_random);
+  return generate_key_block(ssl, MakeSpan(out, out_len), SSL_get_session(ssl));
 }
 int SSL_export_keying_material(SSL *ssl, uint8_t *out, size_t out_len,